I also manage users using AD (and likewise-open deployed with puppet), and I've had a similar issue. I couldn't find an elegant way to deploy ssh public keys "only if" the home dir exists.
I do NOT want the user homedir to be created by puppet! (It must be created by likewise-open if the user logs in.) I also don't want errors to occur if the user folder doesn't exist. So I need a "conditional" like: "IF homedir exists => deploy .ssh/authorized_keys, else do nothing". As far as I know this is not possible with puppet.

Still didn't spend a lot of time on it but for now, the only (ugly) alternative I could find was the suggestion to download all the available public keys to a temp folder on every puppet client (via "file" type), and then via "exec" run a script that scans the existing home folders and copies the corresponding authorized_keys to the .ssh/ folder.

Better ideas anyone?

Gr,
Marcello

> -----Original Message-----
> From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com] On Behalf Of Michael Gliwinski
> Sent: Thursday 25 February 2010 10:54
> To: puppet-users@googlegroups.com
> Cc: Andrew Schulman
> Subject: Re: [Puppet Users] ssh::auth server dependency on ~/.ssh and a scoping question
>
> On Wednesday 24 Feb 2010 18:12:18 Andrew Schulman wrote:
> > > Hi Andrew,
> > >
> > > Just noticed that ssh::auth::server doesn't require the resource for the ~/.ssh directory. Considering the documentation says it does (in Examples -> 1. With account management, at the bottom it mentions that 'require => [User[$title], File["$home/.ssh"]]' is implicitly included in both client and server), I thought I'd report it.
> > >
> > > This works fine for ssh::auth::server because it uses a file resource for the ~/.ssh/$filename file, so ~/.ssh is autorequired by puppet (if defined).
> >
> > OK, thanks for pointing this out. Looking back at it now, I think I was probably counting on ssh_authorized_key requiring File[$home/.ssh]. But that doesn't seem to be explicit anywhere, so I'll add it in explicitly for the next point release. And the user too, while I'm at it.
>
> Actually, the user dependency is already there. But now that you mention it, do you think it would be OK to make it optional, e.g. as in `if defined(User[foo]) { ... }`? I actually had to disable it as I don't manage users in puppet (I use nss_ldap and users are in AD).
>
> I realize this can lead to failures when the user's home directory doesn't exist, but it's not critical, i.e. the key will simply be installed when the directory is created (in case of nss_ldap that is after the first time a user logged on). I haven't found a better way to deal with that yet; if you have better ideas, please share :)
>
> > > Also, while I'm at it, I wanted to ask a question related to scoping. Don't know if it's another difference between puppet 0.24.8 and 0.25.x; can't find any docs mentioning that. Anyway the problem manifests itself in this simple manifest:
> > >
> > > ----
> > > import "auth.pp"
> > >
> > > include ssh::auth
> > >
> > > Ssh::Auth::Key { length => 4096 }
> > >
> > > ssh::auth::key { 'foo': }
> > >
> > > include ssh::auth::keymaster
> > > file { '/home/foo/.ssh': ensure => directory, mode => 700, owner => 'foo', group => 'puppet' }
> > > ssh::auth::client { 'foo': group => 'foo' }
> > > ----
> > >
> > > This is a simplified manifest which I ran with standalone puppet and it produces the following error:
> > >
> > > Only subclasses can override parameters at /root/puppet-tests/sshauth/auth.pp:113 on node ...
> > >
> > > The problem here is the "group => 'foo'" param passed to ssh::auth::client. It doesn't really matter which parameter it is though, as the issue seems to be that the ssh::auth::client (or ssh::auth::server) define cannot override properties of a resource declared in the ssh::auth::key define.
> > >
> > > I searched a bit for something on defines overriding parameters of resources and found a thread here on puppet-users [1] which implies this isn't possible.
> > >
> > > Does that work in 0.25.x?
> >
> > I'll have to spend a little time looking into this. The whole purpose of the way I set up the defines and virtual resources was to be able to override parameters. The last time I tried it, it worked. I guess it's a conflict with the file resource in your manifest? I'll see what I can figure out and get back to you.
>
> AFAICS, ssh::auth doesn't declare the '${home}/.ssh' directory and it is the only file resource in the manifest above.
>
> Don't know, to be honest scoping and related issues in the Puppet DSL have always confused the heck out of me ;)
>
> > Andrew.
>
> Thanks Andrew, let me know if I can help.
>
> --
> Michael Gliwinski
> Henderson Group Information Services
> 9-11 Hightown Avenue, Newtownabby, BT36 4RT
> Phone: 028 9034 3319

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
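The "stage all keys, then run a script from an exec" fallback that Marcello describes above, written out as an added example (this is not code from the thread, from ssh::auth, or from likewise-open). It assumes a staging directory where each public key file is named after its user (e.g. `/var/tmp/puppet-sshkeys/alice`) and home directories under one base such as `/home`; both paths are hypothetical. The script never creates a home directory, so the "only if the home dir exists" condition holds, and it adds the checks a root-run copy into user-writable space needs: it refuses to follow a symlinked `.ssh` or `authorized_keys`, writes via a temp file and `mv` so a partially written key is never read by sshd, fixes modes to 700/600, and only reports a change when the file content actually differs, so a Puppet `exec` wrapping it can treat a printed `0` as "nothing to do".

```shell
#!/bin/sh
# deploy_authorized_keys.sh -- added example, not code from the thread.
# Public keys are staged per user under KEYDIR (file name == user name);
# a key is installed only for users whose home directory already exists.
# Assumptions (not from the thread): keys staged as KEYDIR/<user>, homes
# under HOMEBASE/<user>, and chown is only attempted when run as root.

set -u

# deploy_authorized_keys KEYDIR HOMEBASE
# Prints the number of authorized_keys files created or updated and
# returns 0. Missing home directories are skipped silently: creating
# them is the job of the login path (likewise-open), never of this script.
deploy_authorized_keys() {
    keydir=$1
    homebase=$2
    changed=0
    # Anything we create (dirs, temp files) starts out owner-only.
    umask 077
    for keyfile in "$keydir"/*; do
        [ -f "$keyfile" ] || continue
        user=$(basename "$keyfile")
        home="$homebase/$user"
        # Home must exist and be a real directory, not a symlink.
        if [ ! -d "$home" ] || [ -L "$home" ]; then
            continue
        fi
        sshdir="$home/.ssh"
        target="$sshdir/authorized_keys"
        # Refuse symlinks in the path: a user could otherwise point a
        # root-run copy at an arbitrary location on the filesystem.
        if [ -L "$sshdir" ] || [ -L "$target" ]; then
            echo "skip $user: symlink in path" >&2
            continue
        fi
        # Idempotent: identical content means nothing to report.
        if [ -f "$target" ] && cmp -s "$keyfile" "$target"; then
            continue
        fi
        mkdir -p "$sshdir" || continue
        chmod 700 "$sshdir"
        # Temp file + rename so sshd never sees a half-written key file.
        tmp="$sshdir/.authorized_keys.tmp.$$"
        cp "$keyfile" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$target" || {
            rm -f "$tmp"
            continue
        }
        # Ownership fix-up only works (and only matters) when run as root.
        if [ "$(id -u)" -eq 0 ]; then
            chown -R "$user" "$sshdir" 2>/dev/null || true
        fi
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Usage from a Puppet exec after the keys have been staged by a file resource:
#   deploy_authorized_keys /var/tmp/puppet-sshkeys /home
```

Because the function prints the number of changed files and always exits 0, the staging `file` resource can simply `notify` an `exec` that runs it with `refreshonly => true`; a user whose home appears later is picked up the next time the staged keys change, or the exec can be run on every agent run since unchanged keys cost only a `cmp`. The example goes slightly beyond the thread in that it also handles the symlink and partial-write cases the post does not mention.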